Examining the EO Mandate on Supply Chain Risk Management
Posted by: Jean-Paul Bergeaux
The Biden Administration's Executive Order includes a significant new set of development disclosure requirements for any Independent Software Vendor (ISV) wanting to do business with civilian federal agencies; this covers both current and future vendors. These requirements will not be fully detailed for several months, and when they are, they will not change much for agencies beyond ensuring compliance. The compliance steps will likely be well defined for them and will simply add some paperwork and processes to the purchasing steps.
The danger in the next year or two is that a current ISV that provides value to the agency will not be compliant in time, requiring a waiver or a replacement. It is in each agency's best interest to develop a list of critical vendors, along with contact information, so it can communicate the new requirements to them.
When the new guidelines and timelines are issued, the agency should confirm and document that the vendor intends to take the steps necessary to become compliant, and on what timeline. Depending on the answer, an agency can begin the process to either renew with the new documentation, obtain a waiver to retain the vendor without compliance, or replace the vendor with a new, compliant competitor.
In a perfect world, the civilian agency will be able to pull a list of its ISVs from the SWAM (Software Asset Management) information on its CDM Dashboard and classify their importance by business owner. This information may not be available, in which case the agency will need to develop it through other governance resources in the environment. In either case, the process should start now rather than waiting for the guidance to be issued.
Jean-Paul Bergeaux
Chief Technology Officer - Federal,
GuidePoint Security
With more than 18 years of experience in the federal technology industry, Jean-Paul is currently the Federal CTO for GuidePoint Security. JP's career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData.
Jean-Paul focuses on identifying customers' challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for federal IT managers, such as cybersecurity, VDI, big data, and backup and recovery.